[coreboot] Microcode updates for slightly older intel CPU's re: meltdown/spectre

Daniel Kulesz daniel.ina1 at googlemail.com
Thu Jan 11 19:46:31 CET 2018


Hi,

afaik, Intel did not publish any info about the affectedness of the Core2Duo generation to date. I tried the Spectre-Demos for variant 1 on the X200 [1], and it seems unaffected while e.g. the Opterons on the KGPE-D16 are just as affected as all those Intel CPUs. Nevertheless, this should be fixable by OS updates only so nothing to worry about. It's only that ATM afaik only CentOS/RHEL ships updates for v1, as they have not been integrated into the Linux kernel yet. Regarding v3, there is not much to worry about either since it's also fixable by the KPTI-Kernel patch most distros should already have included by now (the one that is known to cause performance impact).

The remaining and most important question is regarding v2, where the situation is unclear. And no, Qubes will not protect you from v2 because it allows the "isolated" stuff you run in your VM to escape this isolation and e.g. read the Host's memory - i.e. Dom0 in Qubes-speak.

Regarding the 2nd and 3rd core-i-gen: Since Lenovo announced that it will release updates for the T530, and taking into account that some early "low-end" versions of the T530 had a 2nd-gen core-i CPU, there is (very) slight hope Intel will provide microcode updates for this generation. However, I haven't seen any vendor other than Lenovo making announcements about devices from these generations, so I have some doubt that Lenovo will provide updates at all.

Regarding the impact: Not having fixes for v2 does not render the machine completely insecure, but you basically know for sure that you can't expect to get any secure isolation by running untrusted code in VMs. However, since the X200 has no IOMMU, I am not sure to which degree the level of isolation provided before was secure anyways.

Cheers, Daniel

[1] https://gist.github.com/ErikAugust/724d4a969fb2c6ae1bbd7b2a9e3d4bb6


